
RE: Management of Certificates in IKE



> ----------
> From: 	Kalyan Chakravarthy Bade[SMTP:kalyan@trinc.com]
> Sent: 	Monday, January 11, 1999 5:42 AM
> To: 	ipsec@tis.com
> Subject: 	Management of Certificates in IKE
> 
> Hi
> 
> In IKE, how do we manage the certificates in digital signature
> authentication?
> Is it OK if we get the certificates of peers out of band, say by e-mail
> from the peer itself, and use them? Or do we need to get the certificate
> chain from the CA?
> 
Yes, you can get the end-entity certificate out of band; it does not need to
come in the IKE exchange, although that is usually the most convenient way.

As for the CA certificate, before beginning an IKE exchange you will always
trust at least one CA.  When validating the peer's certificate you must be
able to build a chain of trust from the CA that signed the peer's certificate
to the CA you trust.  This "chain" can be delivered to you in IKE, or you
can build it yourself (look it up using LDAP).  The important point is
that you must be able to establish a link between the CA you trust and the
CA that signed the peer's certificate.

> And is there any protocol to manage the certificate repository ?
> 
LDAP (X.500) is the most common, assuming X.509 certificates.

Bye.
----
Greg Carter, Entrust Technologies
greg.carter@entrust.com
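An added illustration of the chain-building step described in the reply above; it is not code from this thread or from any IKE implementation. It assumes a keyed hash standing in for real X.509 signatures, a constructed in-memory repository standing in for the CERT payloads received in IKE or an LDAP query, and hypothetical CA and peer names; the point is the walk from the peer's certificate, issuer by issuer, to a CA you already trust.

```python
from dataclasses import dataclass
import hashlib
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: str      # stand-in for the public key
    signature: str   # stand-in for the issuer's signature (see sign_stub)

def sign_stub(subject, issuer, pubkey, issuer_key):
    # Keyed hash standing in for an asymmetric signature by the issuer's key.
    return hashlib.sha256(f"{subject}|{issuer}|{pubkey}|{issuer_key}".encode()).hexdigest()

def make_cert(subject, issuer, pubkey, issuer_key):
    return Cert(subject, issuer, pubkey, sign_stub(subject, issuer, pubkey, issuer_key))

def signature_ok(cert, issuer_cert):
    # Does the key in issuer_cert verify cert's signature?  (Stand-in check.)
    return cert.signature == sign_stub(cert.subject, cert.issuer, cert.pubkey, issuer_cert.pubkey)

def build_chain(peer_cert, lookup, trust_anchors, max_depth=8):
    """Follow issuer links from the peer's cert up to a trusted CA.  lookup(name)
    returns the cert with that subject or None (IKE CERT payloads or an LDAP query
    in practice).  Returns [peer, ..., anchor], or None if no verified link exists."""
    anchors = {c.subject: c for c in trust_anchors}
    chain, seen = [peer_cert], {peer_cert.subject}
    for _ in range(max_depth):
        current = chain[-1]
        if current.issuer in anchors:                # reached the trusted CA
            anchor = anchors[current.issuer]
            return chain + [anchor] if signature_ok(current, anchor) else None
        issuer_cert = lookup(current.issuer)
        if issuer_cert is None or issuer_cert.subject in seen:
            return None                              # missing issuer, or a loop
        if not signature_ok(current, issuer_cert):
            return None                              # broken link in the chain
        seen.add(issuer_cert.subject)
        chain.append(issuer_cert)
    return None                                      # chain too long

# Constructed repository: one trusted hierarchy plus an unrelated CA.
ROOT = make_cert("CN=Trusted Root", "CN=Trusted Root", "root-key", "root-key")
SUB_CA = make_cert("CN=Sub CA", "CN=Trusted Root", "sub-key", "root-key")
PEER = make_cert("CN=peer.example", "CN=Sub CA", "peer-key", "sub-key")
OTHER_CA = make_cert("CN=Other CA", "CN=Other CA", "other-key", "other-key")
STRANGER = make_cert("CN=stranger.example", "CN=Other CA", "str-key", "other-key")
REPOSITORY = {c.subject: c for c in (ROOT, SUB_CA, PEER, OTHER_CA, STRANGER)}

def validate_peer(peer_cert, trust_anchors=(ROOT,)):
    return build_chain(peer_cert, REPOSITORY.get, trust_anchors)
```

A peer signed by a CA you do not trust fails even though its own chain is internally consistent, which is exactly the "link to the CA you trust" requirement in the reply.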